The vendor of a certain seven-figure software package that Thijs B's company relied on had just released a new version that was no longer end-user configurable. Well, technically, it was... it just required the purchase of a $100,000 "configuration tool" instead of simply editing an XML file. While dropping $100K isn't too bad for most companies in the seven-figure software market, this particular company was frugal and thought it worth investing some time before dropping a giant wad of cash. So, it was up to Thijs to see if the product was still configurable without the new tool.

Thijs opened up the familiar fieldset.xml file, but instead of finding a convoluted — but human-readable — mess of XML, he found this:

	<?xml version="1.0" encoding="utf-8"?><FieldSmartConfiguration encoding="basic">

Given the technical maturity of their software, Thijs was confident that it would be possible to break this. He first set off to disassemble their .NET configuration tool, but that appeared to use a custom-crafted native DLL to retrieve the content of the XML file. Not backing down from the challenge, he noticed they were relying on the Windows Crypto API, so he opened WinDbg to trace the API calls, the encryption type, and, hopefully, the decryption key.

After a bit of debugging, he saw a CryptAcquireContext() call go by and quite a few CryptGenRandom() calls, but no CryptDecrypt(). But then he realized something: the calls had less to do with code the vendor wrote, and more with what .NET was doing behind the scenes, verifying the assemblies or something similar. Were the files even encrypted?

Thijs paid a little closer attention to the text, and noticed the telltale + symbols throughout, and a telling == at the end. After recovering from a sobering facepalm, he opened up a quick Base64 decoder and pasted the giant Base64 string in. In the blink of an eye, this is what came out:

	<Zone id="1" name="Zone 1" desc="Zone 1">

Amazingly, the vendor didn't put any real effort into securing what they wanted secured. They did, however, completely re-implement Base64 by hand. That has to be worth at least $64K.
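The tell Thijs spotted (the + characters and the trailing ==) can be checked mechanically, and the decoded bytes can be examined to tell encoded plaintext from encoded ciphertext. The script below is an added example, not code from the article or from the vendor's product; the `SAMPLE_XML` fragment and the `FieldSmartConfiguration` wrapper are constructed stand-ins for the real fieldset.xml, and the function names are this example's own.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import Optional

# Constructed sample standing in for fieldset.xml: a small XML body that a
# vendor has "protected" by Base64-encoding it. Not the real product's data.
SAMPLE_XML = '<Zone id="1" name="Zone 1" desc="Zone 1"><Field name="a">1</Field></Zone>'
SAMPLE_BLOB = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")
SAMPLE_FILE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<FieldSmartConfiguration encoding="basic">'
    + SAMPLE_BLOB +
    "</FieldSmartConfiguration>"
)

# Standard Base64 alphabet, with padding allowed only at the very end.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def extract_payload(xml_text: str) -> str:
    """Pull the text between the wrapper element's tags (hypothetical wrapper
    layout, matching the constructed sample above)."""
    m = re.search(r"<FieldSmartConfiguration[^>]*>(.*?)</FieldSmartConfiguration>",
                  xml_text, re.S)
    return m.group(1) if m else ""


def looks_like_base64(blob: str) -> bool:
    """Structural check only: standard alphabet, length a multiple of 4,
    '=' padding at the end. The '+' and '/' characters and the trailing
    '==' are exactly the tells the article describes."""
    s = "".join(blob.split())  # tolerate wrapped lines
    if len(s) < 4 or len(s) % 4 != 0:
        return False
    return bool(_B64_RE.match(s))


def try_decode(blob: str) -> Optional[bytes]:
    """Strict decode; None when the blob is not valid Base64."""
    s = "".join(blob.split())
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Real ciphertext sits close to 8.0; XML text sits far
    below it, which is the quick way to tell encoding from encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(blob: str) -> str:
    """Return 'xml', 'text', 'binary' or 'not-base64' for a config payload."""
    if not looks_like_base64(blob):
        return "not-base64"
    raw = try_decode(blob)
    if raw is None:
        return "not-base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "xml" if text.lstrip().startswith("<") else "text"


if __name__ == "__main__":
    payload = extract_payload(SAMPLE_FILE)
    print("payload starts:", payload[:32] + "...")
    print("classification:", classify(payload))
    decoded = try_decode(payload) or b""
    print("entropy: %.2f bits/byte" % shannon_entropy(decoded))
    print(decoded.decode("utf-8", errors="replace"))
```

A payload that passes `looks_like_base64` but comes back as `binary` with entropy near 8 bits per byte is the case where a real cipher (and a real key hunt in the debugger) would be involved; a payload that decodes straight to `xml` is the situation in the story, where the "encryption" was only an encoding.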
